The Commonwealth of Virginia has passed its own privacy law for Virginia consumers: the Consumer Data Protection Act (CDPA) – inspired by the California Consumer Privacy Act (CCPA) and the proposed Washington Privacy Act. Virginia’s House and Senate legislatures approved the CDPA within a three week time period — and is now with the governor to be signed into law.
Like the proposed Washington Privacy Act and CCPA before it, CDPA introduces a new set of rights to Virginian consumers — and places new obligations on data controllers and processors
What is CDPA?
Largely modelled on the Washington Privacy Act, CDPA applies to persons that conduct business in the Commonwealth of Virginia or produce products or services that target Virginia residents — and:
- control or process the personal data of 100,000 or more Virginia consumers during a calendar year
- control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The CDPA includes a number of relevant exemptions, such as those for:
- financial institutions subject to Title V of GLBA
- covered entities and business associates governed by HIPAA/ HITECH privacy, security, and breach notification rules
- nonprofit organizations
- institutions of higher education institutions
CCPA, on the other hand, only exempts the data regulated by GLBA and HIPAA.
In addition, the proposed CDPA exempts 14 categories of information from its coverage, including —but not limited to — HIPAA protected health information and personal data regulated by the FCRA, FERPA, the Driver’s Privacy Protection Act, and Farm Credit Acts. Data collected in the context of employment is also outside the scope of the CDPA.
New Data Definitions
Under CDPA this means: “any information that is linked or reasonably linked to an identified or identifiable natural person.” This excludes publicly available and de-identified data — and the law has specific standards on how to handle de-identified data.
What businesses need to do: Discover and inventory all sensitive and personal data belonging to an identity — direct and inferred — for a full picture of what consumer data you’re collecting.
Sensitive Data Category
CDPA defines sensitive data as:
- data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship, or immigration status
- genetic or biometric data
- data collected from a child, or
- precise geolocation data
Controllers may only process sensitive data with consumer consent — or “parental consent” for children’s data in accordance with the Children’s Online Privacy Protection Act (COPPA).
What businesses need to do: Automatically find, identify, and classify all your sensitive data wherever it lives — on-prem, in the cloud, and hybrid — across all data sources, at petabyte scale. Validate whether geolocation is being captured.
Requirements Under CDPA
Virginia consumers’ rights with respect to personal data include:
- right of access, which includes a right to confirm whether an organization is processing consumer’s personal data — as well as the right to access that information
- right to correction
- right to deletion
- right to data portability
- right to opt-out of processing for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Action must be taken on consumer requests within 45 days of receipt of the request and organizations must establish an internal appeal process for cases when a controller refuses to take action on a consumer request.
What businesses need to do: Enable your organization to fulfill consumer requests by:
- quickly and effectively reacting to regulatory requirements, enabling correction workflows, fulfilling all consumer data requests at scale, and reporting on activity
- determining what data should be deleted and where it’s located — and ensuring ongoing deletion validation via automated queries
- tracking and documenting preference management, consent, and all third-party data sharing
Requirements for Data Controllers
Data Protection Assessments
The proposed law obligates controllers to conduct data protection assessments involving personal data with respect to each of the following processing activities:
- the processing of personal data for purposes of targeted advertising
- the sale of personal data
- the processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of a substantial injury to consumers
- the processing of sensitive data
- any processing activities involving personal data that present a heightened risk of harm to the consumer
What businesses need to do: Inventory data; document data flows, RoPA, and sharing activity; and automate the assessment process for a stronger privacy management program.
The controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purpose for which such data is processed — as disclosed to the consumer.
What businesses need to do: Define and enforce data retention rules with automated workflows — and uncover duplicate, derivative, and similar data for privacy-compliant governance and effective reporting.
Avoidance of Secondary Use
Unless a controller obtains a consumer’s consent, controllers are not allowed to process personal data for purposes that are not reasonably necessary to, or compatible with, the specified and express purposes for which personal data is processed, as disclosed to the consumer.
What businesses need to do: Track and document preference management and consent governance obligations with respect to sensitive data.
Controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect confidentiality, integrity, and accessibility of personal data.
What businesses need to do: Discover and correlate personal information like an email address with passwords to better protect it from potential breaches. Identify potentially impacted users from known data breaches for proactive incident response.
Additional Requirements for Data Processors
Under the CDPA, data processing activities must be governed by a written contract between a controller and a processor containing processing instructions. The contract must specify:
- the nature and purpose of processing
- the type of personal data subject to processing
- the duration of processing
- obligations and rights of both parties
What businesses need to do: In addition to ensuring appropriate data protection terms within agreements, controllers must monitor and track their third-party data sharing flows.
At the direction of the controller, the processor is required to delete or return all personal data to the controller at the conclusion of its services. The processor is required to make available to the controller all information necessary to demonstrate its compliance with the obligations under the law — as well as to allow for audits and inspections.
What businesses need to do: Processors need to have the ability to remediate any personal data they receive from the controller — and enable validation scans to ensure that data is deleted.
In addition, processors must ensure that persons processing personal data are subject to confidentiality obligations and engage subcontractors pursuant to a written agreement that requires subcontractors to meet obligations imposed on the processors.
Processors must also assist controllers in meeting their obligations under the law and provide controllers with information necessary to conduct and document their data protection assessments.
What businesses need to do: Processors must create their own data inventory and document business flows in order to readily respond to any data rights requests that the controllers they work with may receive from consumers.
CDPA Enforcement and Effective Date
CDPA is enforceable through civil actions brought by Virginia’s state attorney general. Though there is no private right of action for consumers, the AG is authorized to bring civil actions on behalf of the consumers, subject to a 30-day cure notice provision — and can seek damages of up to $7,500 for each violation of the act affecting the consumer.
The law is set to go into effect January 1, 2023, the same day that the California Privacy Rights Act (CPRA) — the new version of CCPA — is also slated to go into effect.
The Virginia law is part of a growing bipartisan trend of state legislatures looking to enact comprehensive privacy legislation. In addition, there’s a growing consensus that the VA model will inspire other states based on the speed of adoption. And of course, the more state laws we see, the more motivation is created for Congress to work together on passing federal privacy legislation. Get a 1:1 demo to see how BigID helps organizations address the upcoming requirements for CDPA compliance – and build a sustainable, proactive privacy program to address current and emerging regulations.